A VVoIP or VTC hardware endpoint possessing a “PC Port” does not tag its communications traffic using 802.1Q VLAN tagging or the PC port is not disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19659	VVoIP 5710 (LAN)	SV-21800r1_rule	ECSC-1	Medium

Description
NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the phone firmware tags the VoIP frames/packets while the embedded switch passes all frames/packets without modification. This permits devices connected to the PC port to tag their packets and assign the proper VLAN to their traffic type. 802.1Q VLAN tagging enables the LAN to better maintain separation of the traffic and is therefore the preferred method.

Description

NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the phone firmware tags the VoIP frames/packets while the embedded switch passes all frames/packets without modification. This permits devices connected to the PC port to tag their packets and assign the proper VLAN to their traffic type. 802.1Q VLAN tagging enables the LAN to better maintain separation of the traffic and is therefore the preferred method.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2015-12-29

Details

Check Text ( C-24018r1_chk )
If the VVoIP or VTC endpoints provide a PC Port (and embedded Ethernet switch), inspect the configurations of the endpoints and/or their configuration settings on the LSC to determine compliance with the following requirement: In the event A VVoIP or VTC hardware endpoint possesses a “PC Port,” ensure the VVoIP packets are tagged with the correct local VVoIP endpoint VLAN ID while passing all traffic entering the PC port unchanged so that these packets are automatically placed in the correct VLAN by the access layer switch. Alternately ensure, if the endpoint cannot maintain this separation, the “PC Port” is disabled. In the event the endpoint contains an Ethernet hub, the PC port may need to be physically disabled (blocked) if it cannot be electronically disabled.

Check Text ( C-24018r1_chk )

If the VVoIP or VTC endpoints provide a PC Port (and embedded Ethernet switch), inspect the configurations of the endpoints and/or their configuration settings on the LSC to determine compliance with the following requirement:

In the event A VVoIP or VTC hardware endpoint possesses a “PC Port,” ensure the VVoIP packets are tagged with the correct local VVoIP endpoint VLAN ID while passing all traffic entering the PC port unchanged so that these packets are automatically placed in the correct VLAN by the access layer switch. Alternately ensure, if the endpoint cannot maintain this separation, the “PC Port” is disabled. In the event the endpoint contains an Ethernet hub, the PC port may need to be physically disabled (blocked) if it cannot be electronically disabled.

Fix Text (F-20363r1_fix)
In the event A VVoIP or VTC hardware endpoint possesses a “PC Port”, configure the VVoIP or VTC endpoint to tag its Ethernet frames with the correct local VVoIP endpoint 802.1Q VLAN ID while passing all traffic entering the PC port to the LAN port unchanged so that these packets are automatically placed in the correct VLAN by the access layer switch. Alternately ensure, if the endpoint cannot maintain this separation, the “PC Port” is disabled. In the event the endpoint contains an Ethernet hub, the PC port may need to be physically disabled (blocked) if it cannot be electronically disabled.

Fix Text (F-20363r1_fix)

In the event A VVoIP or VTC hardware endpoint possesses a “PC Port”, configure the VVoIP or VTC endpoint to tag its Ethernet frames with the correct local VVoIP endpoint 802.1Q VLAN ID while passing all traffic entering the PC port to the LAN port unchanged so that these packets are automatically placed in the correct VLAN by the access layer switch. Alternately ensure, if the endpoint cannot maintain this separation, the “PC Port” is disabled. In the event the endpoint contains an Ethernet hub, the PC port may need to be physically disabled (blocked) if it cannot be electronically disabled.